From patchwork Thu Jun 30 16:23:01 2022
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 01/12] golang: CVE-2022-24675 encoding/pem: fix stack overflow in Decode
Date: Thu, 30 Jun 2022 06:23:01 -1000
Message-Id: <6625e24a6143765ce2e4e08d25e3fe021bc2cdf6.1656605800.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167417

From: Hitendra Prajapati Source: https://go-review.googlesource.com/c/go MR: 117551 Type: Security Fix Disposition: Backport from https://go-review.googlesource.com/c/go/+/399816/ ChangeID: 347f22f93e8eaecb3d39f8d6c0fe5a70c5cf7b7c Description: CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode. Signed-off-by: Hitendra Prajapati
Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2022-24675.patch | 271 ++++++++++++++++++ 2 files changed, 272 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 4827c6adfa..773d252bd1 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -23,6 +23,7 @@ SRC_URI += "\ file://CVE-2022-23806.patch \ file://CVE-2022-23772.patch \ file://CVE-2021-44717.patch \ + file://CVE-2022-24675.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch new file mode 100644 index 0000000000..4bc012be21 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch 
@@ -0,0 +1,271 @@ +From 1eb931d60a24501a9668e5cb4647593e19115507 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Fri, 17 Jun 2022 12:22:53 +0530 +Subject: [PATCH] CVE-2022-24675 + +Upstream-Status: Backport [https://go-review.googlesource.com/c/go/+/399816/] +CVE: CVE-2022-24675 +Signed-off-by: Hitendra Prajapati +--- + src/encoding/pem/pem.go | 174 +++++++++++++++-------------------- + src/encoding/pem/pem_test.go | 28 +++++- + 2 files changed, 101 insertions(+), 101 deletions(-) + +diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go +index a7272da..1bee1c1 100644 +--- a/src/encoding/pem/pem.go ++++ b/src/encoding/pem/pem.go +@@ -87,123 +87,97 @@ func Decode(data []byte) (p *Block, rest []byte) { + // pemStart begins with a newline. However, at the very beginning of + // the byte array, we'll accept the start string without it. + rest = data +- if bytes.HasPrefix(data, pemStart[1:]) { +- rest = rest[len(pemStart)-1 : len(data)] +- } else if i := bytes.Index(data, pemStart); i >= 0 { +- rest = rest[i+len(pemStart) : len(data)] +- } else { +- return nil, data +- } +- +- typeLine, rest := getLine(rest) +- if !bytes.HasSuffix(typeLine, pemEndOfLine) { +- return decodeError(data, rest) +- } +- typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)] +- +- p = &Block{ +- Headers: make(map[string]string), +- Type: string(typeLine), +- } +- + for { +- // This loop terminates because getLine's second result is +- // always smaller than its argument. 
+- if len(rest) == 0 { ++ if bytes.HasPrefix(rest, pemStart[1:]) { ++ rest = rest[len(pemStart)-1:] ++ } else if i := bytes.Index(rest, pemStart); i >= 0 { ++ rest = rest[i+len(pemStart) : len(rest)] ++ } else { + return nil, data + } +- line, next := getLine(rest) + +- i := bytes.IndexByte(line, ':') +- if i == -1 { +- break ++ var typeLine []byte ++ typeLine, rest = getLine(rest) ++ if !bytes.HasSuffix(typeLine, pemEndOfLine) { ++ continue + } ++ typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)] + +- // TODO(agl): need to cope with values that spread across lines. +- key, val := line[:i], line[i+1:] +- key = bytes.TrimSpace(key) +- val = bytes.TrimSpace(val) +- p.Headers[string(key)] = string(val) +- rest = next +- } ++ p = &Block{ ++ Headers: make(map[string]string), ++ Type: string(typeLine), ++ } + +- var endIndex, endTrailerIndex int ++ for { ++ // This loop terminates because getLine's second result is ++ // always smaller than its argument. ++ if len(rest) == 0 { ++ return nil, data ++ } ++ line, next := getLine(rest) + +- // If there were no headers, the END line might occur +- // immediately, without a leading newline. +- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) { +- endIndex = 0 +- endTrailerIndex = len(pemEnd) - 1 +- } else { +- endIndex = bytes.Index(rest, pemEnd) +- endTrailerIndex = endIndex + len(pemEnd) +- } ++ i := bytes.IndexByte(line, ':') ++ if i == -1 { ++ break ++ } + +- if endIndex < 0 { +- return decodeError(data, rest) +- } ++ // TODO(agl): need to cope with values that spread across lines. ++ key, val := line[:i], line[i+1:] ++ key = bytes.TrimSpace(key) ++ val = bytes.TrimSpace(val) ++ p.Headers[string(key)] = string(val) ++ rest = next ++ } + +- // After the "-----" of the ending line, there should be the same type +- // and then a final five dashes. 
+- endTrailer := rest[endTrailerIndex:] +- endTrailerLen := len(typeLine) + len(pemEndOfLine) +- if len(endTrailer) < endTrailerLen { +- return decodeError(data, rest) +- } ++ var endIndex, endTrailerIndex int + +- restOfEndLine := endTrailer[endTrailerLen:] +- endTrailer = endTrailer[:endTrailerLen] +- if !bytes.HasPrefix(endTrailer, typeLine) || +- !bytes.HasSuffix(endTrailer, pemEndOfLine) { +- return decodeError(data, rest) +- } ++ // If there were no headers, the END line might occur ++ // immediately, without a leading newline. ++ if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) { ++ endIndex = 0 ++ endTrailerIndex = len(pemEnd) - 1 ++ } else { ++ endIndex = bytes.Index(rest, pemEnd) ++ endTrailerIndex = endIndex + len(pemEnd) ++ } + +- // The line must end with only whitespace. +- if s, _ := getLine(restOfEndLine); len(s) != 0 { +- return decodeError(data, rest) +- } ++ if endIndex < 0 { ++ continue ++ } + +- base64Data := removeSpacesAndTabs(rest[:endIndex]) +- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) +- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) +- if err != nil { +- return decodeError(data, rest) +- } +- p.Bytes = p.Bytes[:n] ++ // After the "-----" of the ending line, there should be the same type ++ // and then a final five dashes. ++ endTrailer := rest[endTrailerIndex:] ++ endTrailerLen := len(typeLine) + len(pemEndOfLine) ++ if len(endTrailer) < endTrailerLen { ++ continue ++ } ++ ++ restOfEndLine := endTrailer[endTrailerLen:] ++ endTrailer = endTrailer[:endTrailerLen] ++ if !bytes.HasPrefix(endTrailer, typeLine) || ++ !bytes.HasSuffix(endTrailer, pemEndOfLine) { ++ continue ++ } + +- // the -1 is because we might have only matched pemEnd without the +- // leading newline if the PEM block was empty. +- _, rest = getLine(rest[endIndex+len(pemEnd)-1:]) ++ // The line must end with only whitespace. 
++ if s, _ := getLine(restOfEndLine); len(s) != 0 { ++ continue ++ } + +- return +-} ++ base64Data := removeSpacesAndTabs(rest[:endIndex]) ++ p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) ++ n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) ++ if err != nil { ++ continue ++ } ++ p.Bytes = p.Bytes[:n] + +-func decodeError(data, rest []byte) (*Block, []byte) { +- // If we get here then we have rejected a likely looking, but +- // ultimately invalid PEM block. We need to start over from a new +- // position. We have consumed the preamble line and will have consumed +- // any lines which could be header lines. However, a valid preamble +- // line is not a valid header line, therefore we cannot have consumed +- // the preamble line for the any subsequent block. Thus, we will always +- // find any valid block, no matter what bytes precede it. +- // +- // For example, if the input is +- // +- // -----BEGIN MALFORMED BLOCK----- +- // junk that may look like header lines +- // or data lines, but no END line +- // +- // -----BEGIN ACTUAL BLOCK----- +- // realdata +- // -----END ACTUAL BLOCK----- +- // +- // we've failed to parse using the first BEGIN line +- // and now will try again, using the second BEGIN line. +- p, rest := Decode(rest) +- if p == nil { +- rest = data ++ // the -1 is because we might have only matched pemEnd without the ++ // leading newline if the PEM block was empty. 
++ _, rest = getLine(rest[endIndex+len(pemEnd)-1:]) ++ return p, rest + } +- return p, rest + } + + const pemLineLength = 64 +diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go +index 8515b46..4485581 100644 +--- a/src/encoding/pem/pem_test.go ++++ b/src/encoding/pem/pem_test.go +@@ -107,6 +107,12 @@ const pemMissingEndingSpace = ` + dGVzdA== + -----ENDBAR-----` + ++const pemMissingEndLine = ` ++-----BEGIN FOO----- ++Header: 1` ++ ++var pemRepeatingBegin = strings.Repeat("-----BEGIN \n", 10) ++ + var badPEMTests = []struct { + name string + input string +@@ -131,14 +137,34 @@ var badPEMTests = []struct { + "missing ending space", + pemMissingEndingSpace, + }, ++ { ++ "repeating begin", ++ pemRepeatingBegin, ++ }, ++ { ++ "missing end line", ++ pemMissingEndLine, ++ }, + } + + func TestBadDecode(t *testing.T) { + for _, test := range badPEMTests { +- result, _ := Decode([]byte(test.input)) ++ result, rest := Decode([]byte(test.input)) + if result != nil { + t.Errorf("unexpected success while parsing %q", test.name) + } ++ if string(rest) != test.input { ++ t.Errorf("unexpected rest: %q; want = %q", rest, test.input) ++ } ++ } ++} ++ ++func TestCVE202224675(t *testing.T) { ++ // Prior to CVE-2022-24675, this input would cause a stack overflow. 
++ input := []byte(strings.Repeat("-----BEGIN \n", 10000000)) ++ result, rest := Decode(input) ++ if result != nil || !reflect.DeepEqual(rest, input) { ++ t.Errorf("Encode of %#v decoded as %#v", input, rest) + } + } + +-- +2.25.1 +
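Review bot: in the pem.go hunk, the new outer "for {" in Decode carries no comment on why it terminates or why restarting is safe, while the hunk deletes the decodeError comment block that explained exactly that ("a valid preamble line is not a valid header line ... Thus, we will always find any valid block"). Every "continue" path depends on the top of the loop having already moved rest past a pemStart match, so I would keep a short version of the deleted explanation at the outer loop, next to the existing "This loop terminates because getLine's second result is always smaller than its argument" comment on the inner loop.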
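Review bot: in the pem_test.go hunk, TestCVE202224675 reports a failure with t.Errorf("Encode of %#v decoded as %#v", input, rest), which would format the 10000000-repetition input twice if the assertion ever fails, and the message says "Encode" in a Decode test. Reporting len(input) and len(rest) would keep the failure readable. The test hunks also call strings.Repeat and reflect.DeepEqual without touching the import block, so please confirm that pem_test.go in the go-1.14 tree already imports both packages.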
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 02/12] golang: CVE-2021-31525 net/http: panic in ReadRequest and ReadResponse when reading a very large header
Date: Thu, 30 Jun 2022 06:23:02 -1000
Message-Id: <2850ef58f2a39a5ab19b1062d1b50160fec4daa8.1656605800.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167418

From: Hitendra Prajapati Source: https://github.com/argoheyard/lang-net MR: 114874 Type: Security Fix Disposition: Backport from https://github.com/argoheyard/lang-net/commit/701957006ef151feb43f86aa99c8a1f474f69282 ChangeID: bd3c4f9f44dd1c45e810172087004778522d28eb Description: CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header. Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2021-31525.patch | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 773d252bd1..b160222f76 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -24,6 +24,7 @@ SRC_URI += "\ file://CVE-2022-23772.patch \ file://CVE-2021-44717.patch \ file://CVE-2022-24675.patch \ + file://CVE-2021-31525.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch new file mode 100644 index 0000000000..afe4b0d2b8 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch 
@@ -0,0 +1,38 @@ +From efb465ada003d23353a91ef930be408eb575dba6 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 16 Jun 2022 17:40:12 +0530 +Subject: [PATCH] CVE-2021-31525 + +Upstream-Status: Backport [https://github.com/argoheyard/lang-net/commit/701957006ef151feb43f86aa99c8a1f474f69282] +CVE: CVE-2021-31525 +Signed-off-by: Hitendra Prajapati + +--- + src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go +index e7de24e..c79aa73 100644 +--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go ++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go +@@ -137,11 +137,13 @@ func trimOWS(x string) string { + // contains token amongst its comma-separated tokens, ASCII + // case-insensitively. + func headerValueContainsToken(v string, token string) bool { +- v = trimOWS(v) +- if comma := strings.IndexByte(v, ','); comma != -1 { +- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token) ++ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') { ++ if tokenEqual(trimOWS(v[:comma]), token) { ++ return true ++ } ++ v = v[comma+1:] + } +- return tokenEqual(v, token) ++ return tokenEqual(trimOWS(v), token) + } + + // lowerASCII returns the ASCII lowercase version of b. 
+-- +2.25.1 +
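Review bot: the Upstream-Status line in the header of the embedded CVE-2021-31525.patch (and the Source: line of the commit message) cites github.com/argoheyard/lang-net, while the file being changed is vendored as src/vendor/golang.org/x/net/http/httpguts/httplex.go. Citing the corresponding golang.org/x/net change would let the backport be checked against the project the code comes from. In the headerValueContainsToken hunk itself the only thing I would tidy is that strings.IndexByte(v, ',') is spelled out in both the init and post clauses of the for statement.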
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 03/12] unzip: fix CVE-2021-4217
Date: Thu, 30 Jun 2022 06:23:03 -1000
Message-Id: <357791da82f767ad695e4476aa12fea3d7db5e04.1656605800.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167419

From: Joe Slater Avoid a null pointer dereference. Signed-off-by: Joe Slater Signed-off-by: Alexandre Belloni (cherry picked from commit 36db85b9b127e5a9f5d3d6e428168cf597ab95f3) Signed-off-by: Steve Sakoman --- .../unzip/unzip/CVE-2021-4217.patch | 67 +++++++++++++++++++ meta/recipes-extended/unzip/unzip_6.0.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch new file mode 100644 index 0000000000..6ba2b879a3 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch 
@@ -0,0 +1,67 @@ +From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 +From: Nils Bars +Date: Mon, 17 Jan 2022 16:53:16 +0000 +Subject: [PATCH] Fix null pointer dereference and use of uninitialized data + +This fixes a bug that causes use of uninitialized heap data if `readbuf` fails +to read as many bytes as indicated by the extra field length attribute. +Furthermore, this fixes a null pointer dereference if an archive contains an +`EF_UNIPATH` extra field but does not have a filename set. +--- + fileio.c | 5 ++++- + process.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) +--- + +Patch from: +https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 +https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch +Regenerated to apply without offsets. + +CVE: CVE-2021-4217 + +Upstream-Status: Pending [infozip upstream inactive] + +Signed-off-by: Joe Slater + + +diff --git a/fileio.c b/fileio.c +index 14460f3..1dc319e 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */ + seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + + (G.inptr-G.inbuf) + length); + } else { +- if (readbuf(__G__ (char *)G.extra_field, length) == 0) ++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); ++ if (bytes_read == 0) + return PK_EOF; ++ if (bytes_read != length) ++ return PK_ERR; + /* Looks like here is where extra fields are read */ + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) + { +diff --git a/process.c b/process.c +index 5f8f6c6..de843a5 100644 +--- a/process.c ++++ b/process.c +@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) + G.unipath_checksum = makelong(offset + ef_buf); + offset += 4; + ++ if (!G.filename_full) { ++ /* Check if we have a unicode extra section but no filename set */ ++ return PK_ERR; ++ } ++ + /* + * Compute 32-bit crc + */ +- + chksum = 
crc32(chksum, (uch *)(G.filename_full), + strlen(G.filename_full)); + +-- +2.32.0 + diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index af5530ab38..3e253afe65 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb 
@@ -26,6 +26,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ file://CVE-2019-13232_p1.patch \ file://CVE-2019-13232_p2.patch \ file://CVE-2019-13232_p3.patch \ + file://CVE-2021-4217.patch \ " UPSTREAM_VERSION_UNKNOWN = "1"
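Review bot: the commit message says only "Avoid a null pointer dereference", but the fileio.c hunk of CVE-2021-4217.patch also makes do_string() return PK_ERR when readbuf() returns fewer bytes than length, which the embedded patch description calls a use of uninitialized heap data. The commit message should mention both changes so the short-read fix is not lost when the series is audited by CVE. Separately, the process.c hunk removes the blank line after the "Compute 32-bit crc" comment, which is an unrelated whitespace change in a patch described as "Regenerated to apply without offsets".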
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 04/12] unzip: Port debian fixes for two CVEs
Date: Thu, 30 Jun 2022 06:23:04 -1000
Message-Id: <097469513f6dea7c678438e71a152f4e77fe670d.1656605800.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167420

From: Richard Purdie Add two fixes from debian for two CVEs.
From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 I wasn't able to get the reproducers to work but the added error checking probably isn't a bad thing. Signed-off-by: Richard Purdie (cherry picked from commit 054be00a632c2918dd1f973e76514e459fc6f017) Signed-off-by: Steve Sakoman --- .../unzip/unzip/CVE-2022-0529.patch | 39 +++++++++++++++++++ .../unzip/unzip/CVE-2022-0530.patch | 33 ++++++++++++++++ meta/recipes-extended/unzip/unzip_6.0.bb | 2 + 3 files changed, 74 insertions(+) create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch new file mode 100644 index 0000000000..1c1e120deb --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch 
@@ -0,0 +1,39 @@ +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 + +CVE: CVE-2022-0529 +Upstream-Status: Inactive-Upstream [need a new release] + +diff --git a/process.c b/process.c +index d2a846e..99b9c7b 100644 +--- a/process.c ++++ b/process.c +@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all) + char buf[9]; + char *buffer = NULL; + char *local_string = NULL; ++ size_t buffer_size; + + for (wsize = 0; wide_string[wsize]; wsize++) ; + + if (max_bytes < MAX_ESCAPE_BYTES) + max_bytes = MAX_ESCAPE_BYTES; + +- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { ++ buffer_size = wsize * max_bytes + 1; ++ if ((buffer = (char *)malloc(buffer_size)) == NULL) { + return NULL; + } + +@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all) + /* no MB for this wide */ + /* use escape for wide character */ + char *escape_string = wide_to_escape_string(wide_string[i]); +- strcat(buffer, escape_string); ++ size_t buffer_len = strlen(buffer); ++ size_t escape_string_len = strlen(escape_string); ++ if (buffer_len + escape_string_len + 1 > buffer_size) ++ escape_string_len = buffer_size - buffer_len - 1; ++ strncat(buffer, escape_string, escape_string_len); + free(escape_string); + } + } diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch new file mode 100644 index 0000000000..363dafddc9 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch 
@@ -0,0 +1,33 @@ +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 + +CVE: CVE-2022-0530 +Upstream-Status: Inactive-Upstream [need a new release] + +diff --git a/fileio.c b/fileio.c +index 6290824..77e4b5f 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */ + /* convert UTF-8 to local character set */ + fn = utf8_to_local_string(G.unipath_filename, + G.unicode_escape_all); ++ if (fn == NULL) ++ return PK_ERR; ++ + /* make sure filename is short enough */ + if (strlen(fn) >= FILNAMSIZ) { + fn[FILNAMSIZ - 1] = '\0'; +diff --git a/process.c b/process.c +index d2a846e..715bc0f 100644 +--- a/process.c ++++ b/process.c +@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all) + int escape_all; + { + zwchar *wide = utf8_to_wide_string(utf8_string); ++ if (wide == NULL) ++ return NULL; + char *loc = wide_to_local_string(wide, escape_all); + free(wide); + return loc; + diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 3e253afe65..fa57c8f5bd 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb 
@@ -27,6 +27,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ file://CVE-2019-13232_p2.patch \ file://CVE-2019-13232_p3.patch \ file://CVE-2021-4217.patch \ + file://CVE-2022-0529.patch \ + file://CVE-2022-0530.patch \ " UPSTREAM_VERSION_UNKNOWN = "1" From patchwork Thu Jun 30 16:23:05 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 9695 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3A148CCA485 for ; Thu, 30 Jun 2022 16:23:42 +0000 (UTC) Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) by mx.groups.io with SMTP id smtpd.web10.27166.1656606216402472160 for ; Thu, 30 Jun 2022 09:23:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=8DtQoWy2; spf=softfail (domain: sakoman.com, ip: 209.85.215.182, mailfrom: steve@sakoman.com) Received: by mail-pg1-f182.google.com with SMTP id 23so18953274pgc.8 for ; Thu, 30 Jun 2022 09:23:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=e6wUicbCzBRXLTxl+aXUFZrzQsg/V5unHiyl3pyt7/8=; b=8DtQoWy2YxgJBbnGPCBijEExZSLQJ3DOJjlVeLPP6Qzd3pihb8YTtmYFYe2hoiBqvX e1f+Yki4PaZYLxK1qNUdCth2GDWcRkWK7R6c3TTKL0SIs+KZ1om0Tu+KcqqiHzfqpPfl 8Xwl3v/iKX1n9cmSdTMYzpXQLNP9vACvcIhuX/juXb+OhBOHRuMI68yOUH0VYm/Mtny0 xOhcY9dgsOTGq++59bpZ3pvah0R70me3Oliu4cgn+LaJnHbLuud6Xei+RviHml2kc9b0 LVw8+hMjdo2LKBrPNdNYy2w7TvuLR5bD6GUwOCWPTQdAqF2amL9HNbv240bnROwey/EL ul9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; 
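Review bot: In the first process.c hunk of CVE-2022-0529.patch, `buffer_size = wsize * max_bytes + 1;` is still an unchecked multiplication, so the size that the later strncat() clamp trusts can itself wrap for a very long wide_string (the types of wsize and max_bytes are not shown in this hunk). Consider rejecting the input when wsize exceeds (SIZE_MAX - 1) / max_bytes before calling malloc().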
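Review bot: In the second process.c hunk of CVE-2022-0529.patch, the clamp `escape_string_len = buffer_size - buffer_len - 1;` silently truncates the escape sequence, so the caller gets back a shortened name with no indication that anything was dropped. Since buffer was sized as wsize * max_bytes + 1, reaching this branch means the sizing assumption was violated; freeing buffer and escape_string and returning NULL would surface that, and the callers touched by CVE-2022-0530.patch already check for a NULL return. The subtraction is also done in size_t and would wrap if buffer_len ever reached buffer_size, so it depends on every other append into buffer (not visible here) staying in bounds.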
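Review bot: In the process.c hunk of CVE-2022-0530.patch, the new `if (wide == NULL) return NULL;` sits above the declaration `char *loc = wide_to_local_string(wide, escape_all);`, which puts a declaration after a statement in a function that is otherwise written in K&R style. Declaring `char *loc;` next to `wide` and assigning it after the check keeps the file buildable with strict C89 compilers.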
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 05/12] cve-check: add support for Ignored CVEs Date: Thu, 30 Jun 2022 06:23:05 -1000 Message-Id: <14b3c0ca46a0aa97565a24b7a5116306237d7cfe.1656605800.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167421 
From: Marta Rybczynska Ignored CVEs aren't patched, but do not apply in our configuration for some reason. Up till now they were only partially supported and reported as "Patched". This patch adds separate reporting of Ignored CVEs. The variable CVE_CHECK_REPORT_PATCHED now manages reporting of both patched and ignored CVEs. Signed-off-by: Marta Rybczynska Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry-picked from c773102d4828fc4ddd1024f6115d577e23f1afe4) Signed-off-by: Steve Sakoman --- meta/classes/cve-check.bbclass | 41 ++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 894cebaaa4..d0f6970db8 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -47,7 +47,9 @@ CVE_CHECK_MANIFEST_JSON ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX CVE_CHECK_COPY_FILES ??= "1" CVE_CHECK_CREATE_MANIFEST ??= "1" +# Report Patched or Ignored/Whitelisted CVEs CVE_CHECK_REPORT_PATCHED ??= "1" + CVE_CHECK_SHOW_WARNINGS ??= "1" # Provide text output @@ -142,7 +144,7 @@ python do_cve_check () { bb.fatal("Failure in searching patches") whitelisted, patched, unpatched, status = check_cves(d, patched_cves) if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): - cve_data = get_cve_info(d, patched + unpatched) + cve_data = get_cve_info(d, patched + unpatched + whitelisted) cve_write_data(d, patched, unpatched, whitelisted, cve_data, status) else: bb.note("No CVE database found, skipping CVE check") @@ -315,6 +317,7 @@ def check_cves(d, patched_cves): suffix = d.getVar("CVE_VERSION_SUFFIX") cves_unpatched = [] + cves_ignored = [] cves_status = [] cves_in_recipe = False # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) 
@@ -349,8 +352,7 @@ def check_cves(d, patched_cves): if cve in cve_whitelist: bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) - # TODO: this should be in the report as 'whitelisted' - patched_cves.add(cve) + cves_ignored.append(cve) continue elif cve in patched_cves: bb.note("%s has been patched" % (cve)) @@ -362,9 +364,13 @@ def check_cves(d, patched_cves): cves_in_recipe = True vulnerable = False + ignored = False + for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)): (_, _, _, version_start, operator_start, version_end, operator_end) = row #bb.debug(2, "Evaluating row " + str(row)) + if cve in cve_whitelist: + ignored = True if (operator_start == '=' and pv == version_start) or version_start == '-': vulnerable = True @@ -397,13 +403,16 @@ def check_cves(d, patched_cves): vulnerable = vulnerable_start or vulnerable_end if vulnerable: - bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve)) - cves_unpatched.append(cve) + if ignored: + bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv)) + cves_ignored.append(cve) + else: + bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve)) + cves_unpatched.append(cve) break if not vulnerable: bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve)) - # TODO: not patched but not vulnerable patched_cves.add(cve) if not cves_in_product: @@ -412,7 +421,7 @@ def check_cves(d, patched_cves): conn.close() - return (list(cve_whitelist), list(patched_cves), cves_unpatched, cves_status) + return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status) def get_cve_info(d, cves): """ @@ -450,6 +459,8 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data): include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split() exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split() + report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1" + if exclude_layers and layer in exclude_layers: return 
@@ -457,7 +468,7 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data): return # Early exit, the text format does not report packages without CVEs - if not patched+unpatched: + if not patched+unpatched+whitelisted: return nvd_link = "https://nvd.nist.gov/vuln/detail/" @@ -467,13 +478,16 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data): for cve in sorted(cve_data): is_patched = cve in patched - if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): + is_ignored = cve in whitelisted + + if (is_patched or is_ignored) and not report_all: continue + write_string += "LAYER: %s\n" % layer write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) write_string += "CVE: %s\n" % cve - if cve in whitelisted: + if is_ignored: write_string += "CVE STATUS: Whitelisted\n" elif is_patched: write_string += "CVE STATUS: Patched\n" @@ -550,6 +564,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split() exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split() + report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1" + if exclude_layers and layer in exclude_layers: return 
@@ -576,10 +592,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): for cve in sorted(cve_data): is_patched = cve in patched + is_ignored = cve in ignored status = "Unpatched" - if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): + if (is_patched or is_ignored) and not report_all: continue - if cve in ignored: + if is_ignored: status = "Ignored" elif is_patched: status = "Patched" From patchwork Thu Jun 30 16:23:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 9694 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A04CCCA481 for ; Thu, 30 Jun 2022 16:23:42 +0000 (UTC) Received: from mail-pj1-f43.google.com (mail-pj1-f43.google.com [209.85.216.43]) by mx.groups.io with SMTP id smtpd.web12.27453.1656606218664775094 for ; Thu, 30 Jun 2022 09:23:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=Ir8u37vZ; spf=softfail (domain: sakoman.com, ip: 209.85.216.43, mailfrom: steve@sakoman.com) Received: by mail-pj1-f43.google.com with SMTP id c6-20020a17090abf0600b001eee794a478so3664574pjs.1 for ; Thu, 30 Jun 2022 09:23:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=z1vozyKnZEA89Nj0n41A5BVHi5xhRnB0RDOV3xSgbEA=; b=Ir8u37vZmN71Q/+Tt7c53lYxPZ0HdcDgR1OTulwAQAwDkuXYADJefSIpykxAIoSK8v 8y2yyiwWFvQIL4JfH/MmDGACj7oELXSRMvzr+KnVlvbygdYxOp0cJdK78Ke4OD1Wt7ZC /O3zZe7qFMZzJaf2dVWOFH7Achr9LbQ9K9JXiF7YBt5ca8TQwfaGCpCJ1EpxdTxmm9GE 
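Review bot: In the do_cve_check hunk, the guard `if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):` is left unchanged, so a recipe whose only findings are ignored CVEs never reaches get_cve_info() or cve_write_data() unless coverage reporting is on. The text writer's early exit was widened to `patched+unpatched+whitelisted` in this same patch; adding `whitelisted` to this condition would make the two agree.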
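Review bot: In the check_cves hunk that introduces `ignored`, the test `if cve in cve_whitelist:` is evaluated once per database row although neither operand changes inside the `for row in conn.execute(...)` loop; set `ignored = cve in cve_whitelist` once before the loop instead. Note also that the earlier hunk appends whitelisted CVEs to cves_ignored and then hits `continue`; if that branch runs in the same per-CVE iteration (the indentation is lost here), `ignored` can never be true and the new `if ignored:` branch further down is unreachable and can be dropped.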
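Review bot: In the cve_write_data_text hunk, the status line is still written as `CVE STATUS: Whitelisted` while cve_write_data_json reports the same CVEs as `"Ignored"` and the commit message calls them Ignored. Either align the text output or document both spellings next to CVE_CHECK_REPORT_PATCHED, since anything that parses the two report formats has to map one onto the other.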
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 06/12] grub2: CVE-2021-3981 Incorrect permission in grub.cfg allow unprivileged user to read the file content Date: Thu, 30 Jun 2022 06:23:06 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 30 Jun 2022 16:23:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167422 From: Hitendra Prajapati Source: https://git.savannah.gnu.org/cgit/grub.git/ MR: 116495 Type: Security Fix Disposition: Backport from https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4 ChangeID: fce3d59e50320bef247bb981352051b8f953a4fc Description: CVE-2021-3981 grub2: Incorrect permission in grub.cfg allow unprivileged user to read the file content. Affects "grub2 < 2.06" Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../grub/files/CVE-2021-3981.patch | 32 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3981.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch new file mode 100644 index 0000000000..e27027ea65 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch 
@@ -0,0 +1,32 @@ +From 67740c43c9326956ea5cd6be77f813b5499a56a5 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Mon, 27 Jun 2022 10:15:29 +0530 +Subject: [PATCH] CVE-2021-3981 + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4] +CVE: CVE-2021-3981 +Signed-off-by: Hitendra Prajapati +--- + util/grub-mkconfig.in | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index 9f477ff..ead94a6 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -287,7 +287,11 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg +- mv -f ${grub_cfg}.new ${grub_cfg} ++ oldumask=$(umask) ++ umask 077 ++ cat ${grub_cfg}.new > ${grub_cfg} ++ umask $oldumask ++ rm -f ${grub_cfg}.new + fi + fi + +-- +2.25.1 + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 0d3f6d05da..9e98d8249d 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc 
@@ -95,6 +95,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \ file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \ file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \ + file://CVE-2021-3981.patch\ " SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" From patchwork Thu Jun 30 16:23:07 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 9693 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28259CCA47B for ; Thu, 30 Jun 2022 16:23:42 +0000 (UTC) Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) by mx.groups.io with SMTP id smtpd.web10.27161.1656606204037309604 for ; Thu, 30 Jun 2022 09:23:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=4uil7Fhg; spf=softfail (domain: sakoman.com, ip: 209.85.214.182, mailfrom: steve@sakoman.com) Received: by mail-pl1-f182.google.com with SMTP id q18so17422962pld.13 for ; Thu, 30 Jun 2022 09:23:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=MAPUQBUNKdmxwkAoHHdKIerCaZp9I/EOCcno12iEL28=; b=4uil7FhgMX0dOBsbhdDe1+aT/bGcaouyjNcmuKC5vyhjx4LGdPWTI9d9L1uGoza5U6 a9689XX0I4Byb8WMSckOKbfo8Ywb5W8RD7PWy9U4KOfI/74V1DM5Vc9QHUgYGODMr2k5 AlyvpFG4kRd6D9S8n9yeMCcZBYZZZ5vNdPkRxoT88hwilhRVJblev8wCSG51d8OMQai+ 
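Review bot: In the grub-mkconfig.in hunk, `umask 077` only affects the mode when `cat ${grub_cfg}.new > ${grub_cfg}` has to create the file; if grub.cfg already exists, the redirection truncates it and keeps whatever mode it already had, so a previously world-readable file stays readable. An explicit chmod on an existing grub.cfg would close that gap. Replacing `mv -f` with cat plus rm also gives up the atomic rename, so an interruption during the cat leaves a truncated grub.cfg, and the unquoted ${grub_cfg} expansions will split on paths that contain spaces.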
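Review bot: In the grub2.inc hunk, the new entry `file://CVE-2021-3981.patch\` has no space before the line-continuation backslash, unlike the SRC_URI entries above it. Add the space so the entry matches its neighbours and does not depend on the next line's leading whitespace to stay separate.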
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 07/12] oeqa/selftest/cve_check: add tests for Ignored and partial reports Date: Thu, 30 Jun 2022 06:23:07 -1000 Message-Id: <577d297babd7b399f631c8a95155265f08c5e193.1656605800.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 30 Jun 2022 16:23:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167423 From: Marta Rybczynska Add testcases for partial reports with CVE_CHECK_REPORT_PATCHED and Ignored CVEs. Signed-off-by: Marta Rybczynska Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry-picked from 3f7639b90004973782a2e74925fd2e9a764c1090) Signed-off-by: Steve Sakoman --- meta/lib/oeqa/selftest/cases/cve_check.py | 82 +++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py index 2f26f606d7..d0b2213703 100644 --- a/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/meta/lib/oeqa/selftest/cases/cve_check.py 
@@ -117,3 +117,85 @@ CVE_CHECK_FORMAT_JSON = "1" self.assertEqual(report["version"], "1") self.assertEqual(len(report["package"]), 1) self.assertEqual(report["package"][0]["name"], recipename) + + + def test_recipe_report_json_unpatched(self): + config = """ +INHERIT += "cve-check" +CVE_CHECK_FORMAT_JSON = "1" +CVE_CHECK_REPORT_PATCHED = "0" +""" + self.write_config(config) + + vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "m4-native_cve.json") + + try: + os.remove(summary_json) + os.remove(recipe_json) + except FileNotFoundError: + pass + + bitbake("m4-native -c cve_check") + + def check_m4_json(filename): + with open(filename) as f: + report = json.load(f) + self.assertEqual(report["version"], "1") + self.assertEqual(len(report["package"]), 1) + package = report["package"][0] + self.assertEqual(package["name"], "m4-native") + #m4 had only Patched CVEs, so the issues array will be empty + self.assertEqual(package["issue"], []) + + self.assertExists(summary_json) + check_m4_json(summary_json) + self.assertExists(recipe_json) + check_m4_json(recipe_json) + + + def test_recipe_report_json_ignored(self): + config = """ +INHERIT += "cve-check" +CVE_CHECK_FORMAT_JSON = "1" +CVE_CHECK_REPORT_PATCHED = "1" +""" + self.write_config(config) + + vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "logrotate_cve.json") + + try: + os.remove(summary_json) + os.remove(recipe_json) + except FileNotFoundError: + pass + + bitbake("logrotate -c cve_check") + + def check_m4_json(filename): + with open(filename) as f: + report = json.load(f) + self.assertEqual(report["version"], "1") + 
self.assertEqual(len(report["package"]), 1) + package = report["package"][0] + self.assertEqual(package["name"], "logrotate") + found_cves = { issue["id"]: issue["status"] for issue in package["issue"]} + # m4 CVE should not be in logrotate + self.assertNotIn("CVE-2008-1687", found_cves) + # logrotate has both Patched and Ignored CVEs + self.assertIn("CVE-2011-1098", found_cves) + self.assertEqual(found_cves["CVE-2011-1098"], "Patched") + self.assertIn("CVE-2011-1548", found_cves) + self.assertEqual(found_cves["CVE-2011-1548"], "Ignored") + self.assertIn("CVE-2011-1549", found_cves) + self.assertEqual(found_cves["CVE-2011-1549"], "Ignored") + self.assertIn("CVE-2011-1550", found_cves) + self.assertEqual(found_cves["CVE-2011-1550"], "Ignored") + + self.assertExists(summary_json) + check_m4_json(summary_json) + self.assertExists(recipe_json) + check_m4_json(recipe_json) From patchwork Thu Jun 30 16:23:08 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 9696 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 29E6ACCA47B for ; Thu, 30 Jun 2022 16:23:52 +0000 (UTC) Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) by mx.groups.io with SMTP id smtpd.web09.27533.1656606222984103892 for ; Thu, 30 Jun 2022 09:23:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=l5+mOJSP; spf=softfail (domain: sakoman.com, ip: 209.85.216.51, mailfrom: steve@sakoman.com) Received: by mail-pj1-f51.google.com with SMTP id h9-20020a17090a648900b001ecb8596e43so3381531pjj.5 for ; Thu, 30 Jun 2022 09:23:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
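Review bot: In both new tests, `os.remove(summary_json)` and `os.remove(recipe_json)` share one try block, so when the summary file is absent the FileNotFoundError skips removal of the recipe file and a stale report from an earlier run can satisfy the assertions. Remove each file in its own try block. The helper inside test_recipe_report_json_ignored is also still named check_m4_json although it checks logrotate, and `vars` shadows the Python builtin.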
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 08/12] wireless-regdb: upgrade 2022.04.08 -> 2022.06.06 Date: Thu, 30 Jun 2022 06:23:08 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 30 Jun 2022 16:23:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167424 From: Alexander Kanavin Signed-off-by: Alexander Kanavin Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit 4c27711292f93dfad1ffdeab6d715becad32a4ff) Signed-off-by: Steve Sakoman --- ...ireless-regdb_2022.04.08.bb => wireless-regdb_2022.06.06.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.04.08.bb => wireless-regdb_2022.06.06.bb} (94%) diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.04.08.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb similarity index 94% rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.04.08.bb rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb index ad6ba8dc8b..91775bce5c 100644 --- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.04.08.bb +++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb 
@@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "884ba2e3c1e8b98762b6dc25ff60b5ec75c8d33a39e019b3ed4aa615491460d3" +SRC_URI[sha256sum] = "ac00f97efecce5046ed069d1d93f3365fdf994c7c7854a8fc50831e959537230" inherit bin_package allarch From patchwork Thu Jun 30 16:23:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 9700 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 352E7CCA480 for ; Thu, 30 Jun 2022 16:23:52 +0000 (UTC) Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.web08.27230.1656606225068557096 for ; Thu, 30 Jun 2022 09:23:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=vJyHryzM; spf=softfail (domain: sakoman.com, ip: 209.85.214.172, mailfrom: steve@sakoman.com) Received: by mail-pl1-f172.google.com with SMTP id m14so17474059plg.5 for ; Thu, 30 Jun 2022 09:23:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=fF8k5f5bM7j4obN3txkWBMpiIGGYy4BrJbv+uPJvASU=; b=vJyHryzM4Wzw9jCdzNUMgvBLHoUuxPVuTCpj9g2EIu2mXzQNAZ0qbDTsMENWlEZZoI jGq2z8t4162rkZ8QlWlaqb44ywx3YfmGAmBYuyDvUmcnUHk+5bEQwVi7xcCZQ76GOrTr tfyLZFeLyowU6AHbQ8tKeLqEwv7OC+dOGEyKX1sXpJ2rzU5C7d5H8RcLFN2ylYNq01PH HQj5SzkiS7Xe31hQOKfwEsCQ+IgWl2Qrl0oCewa+daMfFs2SxzP468IvlhcU2cv7Z5Pi 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 09/12] lttng-modules: Backport Linux 5.18+, 5.15.44+, 5.10.119+ fixes Date: Thu, 30 Jun 2022 06:23:09 -1000 Message-Id: <9f301f5563df868626d624c2d0781dae1b81a4c0.1656605800.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167425 
From: Marek Vasut

The Linux kernel commit 14c174633f349 ("random: remove unused tracepoints") removed unused tracepoints and has been backported to stable Linux kernel releases. This causes build failure of lttng-modules:
"
lttng-modules-2.11.6/probes/lttng-probe-random.c:18:10: fatal error: trace/events/random.h: No such file or directory
| 18 | #include
| | ^~~~~~~~~~~~~~~~~~~~~~~
| compilation terminated.
"

Backport patches from lttng-modules master branch to address the build failure on all of Linux 5.18.y, 5.15.y 5.10.y, 5.4, 4.19, 4.14, and 4.9 kernel versions.

Signed-off-by: Marek Vasut
Cc: Bruce Ashfield
Cc: Steve Sakoman
Signed-off-by: Steve Sakoman
--- ...ndom-remove-unused-tracepoints-v5.18.patch | 46 +++++++++++++++++ ...emove-unused-tracepoints-v5.10-v5.15.patch | 45 ++++++++++++++++ ...racepoints-removed-in-stable-kernels.patch | 51 +++++++++++++++++++ .../lttng/lttng-modules_2.11.6.bb | 3 ++ 4 files changed, 145 insertions(+) create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch diff --git a/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch b/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch new file mode 100644 index 0000000000..3fc7fd733d --- /dev/null +++ b/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch
@@ -0,0 +1,46 @@ +From 25b70c486bb96de0caf7cea1da42ed07801cca84 Mon Sep 17 00:00:00 2001 +From: Michael Jeanson +Date: Mon, 4 Apr 2022 14:33:42 -0400 +Subject: [PATCH 17/19] fix: random: remove unused tracepoints (v5.18) + +See upstream commit : + + commit 14c174633f349cb41ea90c2c0aaddac157012f74 + Author: Jason A. Donenfeld + Date: Thu Feb 10 16:40:44 2022 +0100 + + random: remove unused tracepoints + + These explicit tracepoints aren't really used and show sign of aging. + It's work to keep these up to date, and before I attempted to keep them + up to date, they weren't up to date, which indicates that they're not + really used. These days there are better ways of introspecting anyway. + +Upstream-Status: Backport [369d82bb1746447514c877088d7c5fd0f39140f8] +Change-Id: I3b8c3e2732e7efdd76ce63204ac53a48784d0df6 +Signed-off-by: Michael Jeanson +Signed-off-by: Mathieu Desnoyers +--- + probes/Kbuild | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/probes/Kbuild b/probes/Kbuild +index 3ae2d39e..58da82b8 100644 +--- a/probes/Kbuild ++++ b/probes/Kbuild +@@ -215,8 +215,11 @@ ifneq ($(CONFIG_FRAME_WARN),0) + CFLAGS_lttng-probe-printk.o += -Wframe-larger-than=2200 + endif + ++# Introduced in v3.6, remove in v5.18 + obj-$(CONFIG_LTTNG) += $(shell \ +- if [ $(VERSION) -ge 4 \ ++ if [ \( ! \( $(VERSION) -ge 6 -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) \) \ ++ -a \ ++ $(VERSION) -ge 4 \ + -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \ + -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 5 -a $(SUBLEVEL) -ge 2 \) \ + -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 4 -a $(SUBLEVEL) -ge 9 \) \ +-- +2.35.1 + diff --git a/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch b/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch new file mode 100644 index 0000000000..5c324a9bde --- /dev/null 
+++ b/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch @@ -0,0 +1,45 @@ +From da956d1444139883f5d01078d945078738ffade4 Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Thu, 2 Jun 2022 06:36:08 +0000 +Subject: [PATCH 18/19] fix: random: remove unused tracepoints (v5.10, v5.15) + +The following kernel commit has been back ported to v5.10.119 and v5.15.44. + +commit 14c174633f349cb41ea90c2c0aaddac157012f74 +Author: Jason A. Donenfeld +Date: Thu Feb 10 16:40:44 2022 +0100 + + random: remove unused tracepoints + + These explicit tracepoints aren't really used and show sign of aging. + It's work to keep these up to date, and before I attempted to keep them + up to date, they weren't up to date, which indicates that they're not + really used. These days there are better ways of introspecting anyway. + +Upstream-Status: Backport [1901e0eb58795e850e8fdcb5e1c235e4397b470d] +Signed-off-by: He Zhe +Signed-off-by: Mathieu Desnoyers +Change-Id: I0b7eb8aa78b5bd2039e20ae3e1da4c5eb9018789 +--- + probes/Kbuild | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/probes/Kbuild b/probes/Kbuild +index 58da82b8..87f2d681 100644 +--- a/probes/Kbuild ++++ b/probes/Kbuild +@@ -217,7 +217,10 @@ endif + + # Introduced in v3.6, remove in v5.18 + obj-$(CONFIG_LTTNG) += $(shell \ +- if [ \( ! \( $(VERSION) -ge 6 -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) \) \ ++ if [ \( ! \( $(VERSION) -ge 6 \ ++ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \ ++ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 15 -a $(SUBLEVEL) -ge 44 \) \ ++ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119\) \) \) \ + -a \ + $(VERSION) -ge 4 \ + -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \ +-- +2.35.1 + 
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch b/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch new file mode 100644 index 0000000000..73ba4d06bc --- /dev/null +++ b/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch 
@@ -0,0 +1,51 @@ +From 2c98e0cd03eba0aa935796bc7413c51b5e4b055c Mon Sep 17 00:00:00 2001 +From: Michael Jeanson +Date: Tue, 31 May 2022 15:24:48 -0400 +Subject: [PATCH 19/19] fix: 'random' tracepoints removed in stable kernels + +The upstream commit 14c174633f349cb41ea90c2c0aaddac157012f74 removing +the 'random' tracepoints is being backported to multiple stable kernel +branches, I don't see how that qualifies as a fix but here we are. + +Use the presence of 'include/trace/events/random.h' in the kernel source +tree instead of the rather tortuous version check to determine if we +need to build 'lttng-probe-random.ko'. + +Upstream-Status: Backport [ed1149ef88fb62c365ac66cf62c58ac6abd8d7e8] +Change-Id: I8f5f2f4c9e09c61127c49c7949b22dd3fab0460d +Signed-off-by: Michael Jeanson +Signed-off-by: Mathieu Desnoyers +--- + probes/Kbuild | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/probes/Kbuild b/probes/Kbuild +index 87f2d681..f09d6b65 100644 +--- a/probes/Kbuild ++++ b/probes/Kbuild +@@ -216,18 +216,10 @@ ifneq ($(CONFIG_FRAME_WARN),0) + endif + + # Introduced in v3.6, remove in v5.18 +-obj-$(CONFIG_LTTNG) += $(shell \ +- if [ \( ! 
\( $(VERSION) -ge 6 \ +- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \ +- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 15 -a $(SUBLEVEL) -ge 44 \) \ +- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119\) \) \) \ +- -a \ +- $(VERSION) -ge 4 \ +- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \ +- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 5 -a $(SUBLEVEL) -ge 2 \) \ +- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 4 -a $(SUBLEVEL) -ge 9 \) \ +- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 0 -a $(SUBLEVEL) -ge 41 \) ] ; then \ +- echo "lttng-probe-random.o" ; fi;) ++random_dep = $(srctree)/include/trace/events/random.h ++ifneq ($(wildcard $(random_dep)),) ++ obj-$(CONFIG_LTTNG) += lttng-probe-random.o ++endif + + obj-$(CONFIG_LTTNG) += $(shell \ + if [ $(VERSION) -ge 4 \ +-- +2.35.1 + diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb b/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb index 3145f0298c..76b9f13618 100644 --- a/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb +++ b/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb 
@@ -28,6 +28,9 @@ SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0014-Revert-fix-include-order-for-older-kernels.patch \ file://0015-fix-backport-of-fix-tracepoint-Optimize-using-static.patch \ file://0016-fix-adjust-version-range-for-trace_find_free_extent.patch \ + file://0017-fix-random-remove-unused-tracepoints-v5.18.patch \ + file://0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch \ + file://0019-fix-random-tracepoints-removed-in-stable-kernels.patch \ " SRC_URI[md5sum] = "8ef09fdfcdec669d33f7fc1c1c80f2c4"

From patchwork Thu Jun 30 16:23:10 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9697

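Review bot: in the probes/Kbuild hunk of 0017-fix-random-remove-unused-tracepoints-v5.18.patch, the new "not 5.18 or later" group is joined to the old range with a bare -a, and the following -o \( $(VERSION) -eq 3 ... \) alternatives stay outside it. Since -a binds tighter than -o in test, the new guard only qualifies the "$(VERSION) -ge 4" term. The result happens to be right because a 3.x kernel can never satisfy the 5.18 test, but wrapping the whole original range in one \( ... \) after the -a would make the intent explicit. The added comment should also read "removed in v5.18" rather than "remove in v5.18".
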
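Review bot: in the probes/Kbuild hunk of 0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch, "-ge 119\)" on the 5.10 line has no space before the escaped parenthesis, so the shell hands "119)" to [ as a single word: the integer comparison gets a non-numeric operand and one opening \( is left unclosed. Add the space ("-ge 119 \)"). In this series 0019 deletes the whole expression, so the slip only matters if 0018 is ever carried without 0019.
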
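Review bot: the probes/Kbuild hunk of 0019-fix-random-tracepoints-removed-in-stable-kernels.patch leaves the context comment "# Introduced in v3.6, remove in v5.18" directly above the new random_dep / $(wildcard ...) block, where it no longer describes the logic: the probe is now built whenever include/trace/events/random.h exists under $(srctree), whatever the version. Update the comment to say so, and mention that the decision now depends on $(srctree) pointing at the same kernel sources the module is built against.
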
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 10/12] initramfs-framework: move storage mounts to actual rootfs
Date: Thu, 30 Jun 2022 06:23:10 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167426

From: Muhammad Hamza

Operations such as mkfs fail on devices that are not switched to the actual rootfs before switch_root is called. The kernel interprets these devices as still being used even after unmounting and errors such as below are seen when the target is fully booted

root@v1000:~# umount /dev/sdb1
root@v1000:~# mkfs.ext4 /dev/sdb1
mke2fs 1.43.8 (1-Jan-2018)
/dev/sdb1 contains a ext4 file system
last mounted on Wed Nov 28 07:33:54 2018
Proceed anyway? (y,N) y
/dev/sdb1 is apparently in use by the system; will not make a filesystem here!

Signed-off-by: Awais Belal
Signed-off-by: Muhammad Hamza
Signed-off-by: Alexandre Belloni
(cherry picked from commit ec53ffd01972d1be2d6a28de828b3f0b80dc1e61)
Signed-off-by: Steve Sakoman
--- .../initrdscripts/initramfs-framework/finish | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/finish b/meta/recipes-core/initrdscripts/initramfs-framework/finish index 717383ebac..dee3ab3387 100755 --- a/meta/recipes-core/initrdscripts/initramfs-framework/finish +++ b/meta/recipes-core/initrdscripts/initramfs-framework/finish
@@ -14,6 +14,15 @@ finish_run() { info "Switching root to '$ROOTFS_DIR'..." + debug "Moving basic mounts onto rootfs" + for dir in `awk '/\/dev.* \/run\/media/{print $2}' /proc/mounts`; do + # Parse any OCT or HEX encoded chars such as spaces + # in the mount points to actual ASCII chars + dir=`printf $dir` + mkdir -p "${ROOTFS_DIR}/media/${dir##*/}" + mount -n --move "$dir" "${ROOTFS_DIR}/media/${dir##*/}" + done + debug "Moving /dev, /proc and /sys onto rootfs..." mount --move /dev $ROOTFS_DIR/dev mount --move /proc $ROOTFS_DIR/proc

From patchwork Thu Jun 30 16:23:11 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9699

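Review bot: in the initramfs-framework/finish hunk, the added "printf $dir" command substitution passes the mount point unquoted as printf's format string, so besides the intended octal escapes such as \040, any % in a mount point name is treated as a conversion specifier. Decoding with a fixed format, printf '%b' "$dir", handles the escapes without that. Two further points in the same loop: ${dir##*/} keeps only the last path component, so mounts with the same basename under different /run/media subdirectories end up on the same target directory, and neither the mkdir -p nor the mount -n --move is checked, so a failed move goes unreported before the root switch.
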
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 11/12] wic: fix WicError message
Date: Thu, 30 Jun 2022 06:23:11 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167427

From: Martin Jansa

* add missing % to print the values instead of:
| INFO: Build artifacts not found, exiting.
| INFO: (Please check that the build artifacts for the machine
| INFO: selected in local.conf actually exist and that they
| INFO: are the correct artifacts for the image (.wks file)).
|
| ERROR: ("The artifact that couldn't be found was %s:\n %s", 'kernel-dir', '/OE/build/deploy/images/qemux86-64')

Signed-off-by: Martin Jansa
Signed-off-by: Luca Ceresoli
Signed-off-by: Richard Purdie
(cherry picked from commit e104c2b1273d8c5bd97893f318bf2a2699ef7f2d)
Signed-off-by: Steve Sakoman
--- scripts/wic | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/wic b/scripts/wic index 6547abe0e9..99a8a97ccb 100755 --- a/scripts/wic +++ b/scripts/wic
@@ -206,7 +206,7 @@ def wic_create_subcommand(options, usage_str): logger.info(" (Please check that the build artifacts for the machine") logger.info(" selected in local.conf actually exist and that they") logger.info(" are the correct artifacts for the image (.wks file)).\n") - raise WicError("The artifact that couldn't be found was %s:\n %s", not_found, not_found_dir) + raise WicError("The artifact that couldn't be found was %s:\n %s" % (not_found, not_found_dir)) krootfs_dir = options.rootfs_dir if krootfs_dir is None:

From patchwork Thu Jun 30 16:23:12 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9698

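Review bot: the scripts/wic hunk corrects the raise in wic_create_subcommand() only, and nothing in the patch guards against the same slip elsewhere. Passing the values as extra arguments after a comma, instead of applying %, is easy to repeat wherever WicError is raised with a format string, so it is worth searching the rest of the wic code for that pattern before treating this as closed.
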
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 12/12] insane.bbclass: host-user-contaminated: Correct per package home path
Date: Thu, 30 Jun 2022 06:23:12 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167428

From: Ahmed Hossam

The current home path that is compared against is incorrect as it is missing the package name, this patch adds it.

[YOCTO #14553]

Signed-off-by: Ahmed Hossam
Signed-off-by: Luca Ceresoli
(cherry picked from commit ae8f22d9e2694eea5ede3b31c6f3bca404ea4a5a)
Signed-off-by: Steve Sakoman
--- meta/classes/insane.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass index eb19425652..77a2039738 100644 --- a/meta/classes/insane.bbclass +++ b/meta/classes/insane.bbclass @@ -945,7 +945,7 @@ def package_qa_check_host_user(path, name, d, elf, messages): dest = d.getVar('PKGDEST') pn = d.getVar('PN') - home = os.path.join(dest, 'home') + home = os.path.join(dest, name, 'home') if path == home or path.startswith(home + os.sep): return
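
Review bot: in package_qa_check_host_user(), the corrected "home = os.path.join(dest, name, 'home')" is left undocumented even though it changes what the check covers: the early return on "path == home or path.startswith(home + os.sep)" can now match, so everything under a package's home directory is exempt from the host-user-contaminated check. Add a short comment stating that PKGDEST is laid out per package and why home is skipped, and a selftest case with a file under home so the path cannot drift again unnoticed.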